问题现象下游mosdns请求上游smartdns doh 服务器时候出现400 <stron

mosdns所在的系统信任smartdns证书的根证书吗？ <div class="snippet-clipboard-content not

那么我可能是遇到了其他问题 <div class="snippet-clipboard-content notranslate position-relative

DOH 服务器是不是有问题，请求会出现400 about smartdns HOT 16 CLOSED

bboysoulcn commented on June 11, 2024

DOH 服务器是不是有问题，请求会出现400

from smartdns.

Comments (16)

pymumu commented on June 11, 2024 1

代码增加了urldecode调用。

from smartdns.

PikuZheng commented on June 11, 2024

~~mosdns所在的系统信任smartdns证书的根证书吗？~~

[2024-02-18 04:59:49,727][DEBUG][     dns_server.c:7825] decode query failed.
[2024-02-18 04:59:49,727][DEBUG][     dns_server.c:7921] process one request failed.
[2024-02-18 04:59:49,727][DEBUG][     dns_server.c:7988] process tcp request failed.
[2024-02-18 04:59:49,727][DEBUG][     dns_server.c:8165] process TLS packet from xxxxxxxxxxxxx failed.
[2024-02-18 04:59:49,728][DEBUG][     dns_server.c:8592] dns server process failed.

测试了一下post方式是好的但是get方式对于base64处理可能有问题 #1640 @pymumu

from smartdns.

pymumu commented on June 11, 2024

把-I去掉，不支持HEAD方法。
另外smartdns目前也不支持HTTP2.

from smartdns.

PikuZheng commented on June 11, 2024

把-I去掉，不支持HEAD方法。另外smartdns目前也不支持HTTP2.

试过了不加headers也一样是400,。另外浏览器直接打开也是400

from smartdns.

PikuZheng commented on June 11, 2024

把-I去掉，不支持HEAD方法。另外smartdns目前也不支持HTTP2.

找到原因了，按照doh的规范，base64最后补位的“=”会被删掉。smartdns在处理时似乎没有补位，这导致一些网址能查询，另一些查不了（比如www.taobao.com查报400，www1.taobao.com正常

from smartdns.

pymumu commented on June 11, 2024

=是padding对齐用的，计算长度的时候，会减掉相应的=个数。这个base64解码函数在spki-pin的时候也是这个函数，不应该有问题。

smartdns/src/util.c

Lines 979 to 1005 in 2c9ca2e

 int SSL_base64_decode(const char *in, unsigned char *out, int max_outlen) 

 { 

 size_t inlen = strlen(in); 

 int outlen = 0; 

 if (max_outlen < (int)inlen / 4 * 3) { 

 goto errout; 

 } 

 if (inlen == 0) { 

 return 0; 

 } 

 outlen = EVP_DecodeBlock(out, (unsigned char *)in, inlen); 

 if (outlen < 0) { 

 goto errout; 

 } 

 /* Subtract padding bytes from |outlen| */ 

 while (in[--inlen] == '=') { 

 --outlen; 

 } 

 return outlen; 

 errout: 

 return -1; 

 }

我简单测试了一下，是正常的，没有问题，用的如下命令。

curl -k -H 'accept: application/dns-message' -v 'https://192.168.1.1:843/dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB' | hexdump -C

curl -I 是指示用HEAD方法，DOH没有描述说支持HEAD方法。

另外，chrome，firefox，edge默认应该是POST方法，不是GET方法，这几个浏览器我验证是正常的。
不清楚你用了什么浏览器。

from smartdns.

PikuZheng commented on June 11, 2024

那么我可能是遇到了其他问题

Python 3.7.0 (v3.7.0:1bf9cc5093, Jun 27 2018, 04:59:51) [MSC v.1914 64 bit (AMD64)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>> import dns.message,base64,requests
>>>
>>> domain = "www.taobao.com"
>>> r = requests.get("https://xxxxxxxxxxxxxxxx/dns-query?dns=" + base64.b64encode(dns.message.make_query(domain, "A").to_wire()).decode("UTF8").rstrip("="), verify=False)
>>> print(r)
<Response [400]>               <---------www.taobao.com 返回400
>>>
>>> domain = "www1.taobao.com"
>>> r = requests.get("https://xxxxxxxxxxxxxxxx/dns-query?dns=" + base64.b64encode(dns.message.make_query(domain, "A").to_wire()).decode("UTF8").rstrip("="), verify=False)
>>> print(r)
<Response [200]>               <---------www1.taobao.com 返回200
>>> print (dns.message.from_wire(r.content).answer)
[<DNS www1.taobao.com. IN CNAME RRset: [<tao.conf.cn.zb.v4.aserver.alibabacorp.com.gds.alibabadns.com.>]>, <DNS tao.conf.cn.zb.v4.aserver.alibabacorp.com.gds.alibabadns.com. IN A RRset: [<59.82.31.244>]>]
>>>
>>> domain = "www.163.com"
>>> r = requests.get("https://xxxxxxxxxxxxxxxx/dns-query?dns=" + base64.b64encode(dns.message.make_query(domain, "A").to_wire()).decode("UTF8").rstrip("="), verify=False)
>>> print(r)
<Response [400]>
>>>
>>> domain = "mail.163.com"
>>> r = requests.get("https://xxxxxxxxxxxxxxxx/dns-query?dns=" + base64.b64encode(dns.message.make_query(domain, "A").to_wire()).decode("UTF8").rstrip("="), verify=False)
>>> print(r)
<Response [200]>
>>> print (dns.message.from_wire(r.content).answer)
[<DNS mail.163.com. IN CNAME RRset: [<mail163.mail.ntes53.netease.com.>]>, <DNS mail163.mail.ntes53.netease.com. IN A RRset: [<123.126.96.214>]>]

目前观察是否返回400与域名长度有关

from smartdns.

pymumu commented on June 11, 2024

去掉.rstrip("=")

from smartdns.

PikuZheng commented on June 11, 2024

去掉.rstrip("=")

去掉后确实正常了，但应该删=啊？，否则应该转译用%3d

from smartdns.

PikuZheng commented on June 11, 2024

代码增加了urldecode调用。

我坚持应该处理去掉“=”，而不是转译。依据是RFC8484第11页

When using the GET method, the data payload for this media type MUST
be encoded with base64url [RFC4648] and then provided as a variable
named "dns" to the URI Template expansion. Padding characters for
base64url MUST NOT be included.

from smartdns.

pymumu commented on June 11, 2024

修正了一下。

from smartdns.

PikuZheng commented on June 11, 2024

修正了一下。

查询正确，但返回不正确。查询mail.163.com时返回是空白（post方式返回正确

from smartdns.

pymumu commented on June 11, 2024

这次应该好了。

from smartdns.

PikuZheng commented on June 11, 2024

我这里试是好了，楼主试一下最新版呢 @bboysoulcn

from smartdns.

bboysoulcn commented on June 11, 2024

我这里试是好了，楼主试一下最新版呢 @bboysoulcn

ok 我看下

from smartdns.

bboysoulcn commented on June 11, 2024

我这里试是好了，楼主试一下最新版呢 @bboysoulcn

应该可以了

from smartdns.

DOH 服务器是不是有问题，请求会出现400 about smartdns HOT 16 CLOSED

Comments (16)

Related Issues (20)

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent

	int SSL_base64_decode(const char in, unsigned char out, int max_outlen)
	{
	size_t inlen = strlen(in);
	int outlen = 0;

	if (max_outlen < (int)inlen / 4 * 3) {
	goto errout;
	}

	if (inlen == 0) {
	return 0;
	}

	outlen = EVP_DecodeBlock(out, (unsigned char *)in, inlen);
	if (outlen < 0) {
	goto errout;
	}

	/* Subtract padding bytes from \|outlen\| */
	while (in[--inlen] == '=') {
	--outlen;
	}

	return outlen;
	errout:
	return -1;
	}